Forwarded From: phreak moi <hackerelitet_private>
http://www.wired.com/news/news/technology/story/15848.html
Dial-A-Strength Crypto on a Chip
by Chris Jones
4:00 a.m. 27.Oct.98.PST
In a development that could break a longstanding deadlock between Silicon
Valley and the Clinton administration, Hewlett-Packard and Wave Systems on
Tuesday will announce a new hardware system. It's designed to administer
encryption policies on PCs anywhere in the world.
"This is a significant announcement, because it is the first system that
creates a trusted client," said Doug McGowan, head of HP's VerSecure
division.
The Embassy (short for Embedded Application Security System) for
e-commerce is built on a programmable chip that, when added to a
computer's motherboard, can be adjusted to match prevailing encryption
policies. The companies said it will allow users to encrypt sensitive data
and communications to the maximum level that local regulations allow.
Embassy is designed to work with many of the existing cryptography schemes
that are commonly used by programmers. It will scramble data using
varying strengths of encryption, including triple DES, which is stronger
than the US Commerce Department's 56-bit limit on exported software.
Before the system can be used, it must be registered with a designated
local authority. That authority then activates the cryptography
application.
McGowan said the system is inexpensive and adheres to US export policy by
allowing local authorities to control the level of encryption that can be
used.
Currently, the Commerce Department restricts the export of cryptography
products on the grounds that they can be used to conceal the
communications between terrorists and hostile nations. The software
industry believes these rules create an unfair advantage for overseas
crypto developers.
"[The Clinton Administration and Commerce Department are] interested in a
stronger solution in hardware," McGowan said, since hardware can be
controlled more effectively than software. "But 90 percent of countries
have no domestic-use policies."
An important provision in the Embassy system is that users will have to
renew it annually with the local registry to ensure compliance with the
latest encryption policies.
If a government requires key recovery, the system will then be registered
so that law-enforcement officials will have access to scrambled data under
certain circumstances. Current encryption policies in France require key
recovery, for example. HP and other companies will establish registries in
countries around the world. So far, Canada, the United Kingdom, Germany,
France, Denmark, Japan, and Australia said they will allow the systems.
John Gilmore, co-founder of the Electronic Frontier Foundation, was
sharply critical of the new system. Although he had not examined the
specifications, he suggested there would be ways to circumvent it.
"When you contact the server to turn your crypto on, how does that server
know what country you're in?" Gilmore asked. "If these systems do spread,
bootleg certificates that turn them on would become popular."
The Commerce Department will not issue licenses for the technology until
the actual implementations have been tested, McGowan said, but the concept
behind the system has been reviewed and approved.
Wave Systems will provide chip manufacturers with the blueprints for the
system, enabling them to embed the specialized chips in PC motherboards.
Since no design modifications are necessary, the companies said it would
be easy for any PC manufacturer to incorporate the system.
Initially, Embassy will only work on Windows and Unix-based systems. NEC
is the first manufacturer to announce that it will ship computers next
year with the system included.
"This will be a key component of electronic commerce and extends the web
of security for all existing applications," said Steven Sprague, president
of Wave Systems. "For the first time, Microsoft applications with strong
cryptography can be distributed on a worldwide basis."
Developers will build applications to take advantage of the Embassy system
by using a set of programming interfaces, which will be licensed from HP.
The revenues generated from the licensing fees will pay for the system,
said McGowan, so that PC manufacturers and consumers would not absorb the
costs.
E-commerce systems, financial-transaction software, email programs and
pay-per-use applications are likely to adopt the technology first.
Existing applications could be retrofitted to work with the system, the
companies said.
HP has received Commerce Department approval to export the VerSecure
software in the past. The system allows local encryption policies to be
enforced and updated as needed.
Gilmore said that HP has previously complied with federal policies and
that Tuesday's announcement was no different, since it offers no guarantee
of real privacy protection whatsoever.
"What other black boxes have they put in this chip? Keystroke monitoring?
Recording traffic across the bus?" asked Gilmore. "If they're giving you a
black box, who's to say what other capabilities are actually in that
chip?"
-o-
Subscribe: mail majordomot_private with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]